So I have been following instructions on setting up Client Certificate Authentication in Apache2 w/ mod_ssl. This is solely for the purpose of testing an application against CAA, not for any sort of production use.

So far I've followed http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html for advice on generating my CA, server, and client encryption information. I've put all three of them into /etc/ssl/ca/private. I've setup the following additional directives in my default_ssl site file:

I've install the p12 file into Chrome, but when I go to visit https://localhost, I get the following errors

Chrome: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Apache: Certificate Verification: Error (18): self signed certificate

If I had to guess, one of my directives is not setup right to load and verify the p12 w/ my self created CA. But I can't for the life of me figure out what it is. Would anyone have more experience here who could point me in the right direction?

3 Answers
3

Firstly, I would suggest to avoid to use both SSLCACertificatePath and SSLCACertificateFile at the same time. SSLCACertificatePath is used to point to a directory containing multiple files, one for each CA certificate you trust. SSLCACertificateFile is used to point to a single file, being the concatenation of all the CA certificates you trust. It doesn't really make sense to point SSLCACertificatePath to a directory that also holds private keys (although I'm not sure it would cause problems anyway).

What matters is that the client certificate you're using is issued by one of the CA certificates (pointed to either by whichever of SSLCACertificatePath or SSLCACertificateFile you'll be using): the issuer DN of your client certificate must be the subject DN of one of the CA certificates you've configured this way in Apache Httpd (in addition, it must really be issued by that CA, so your client certificate's signature must be verifiable by the CA certificate's public key, but I'm assuming you've created your CA and issued certificates properly: you may want to check this, just in case).

You can check the content of a certificate (CA or not) in PEM form (often .pem or .crt) using:

openssl x509 -text -noout -in filename.pem

(This should display enough information about the certificate.)

EDIT:

Just in case there might be an issue with your certificates, you could try these test certificates:

You can import testclient.p12 into your browser. cacert.pem is the CA certificate in PEM format, and localhost-cert.pem is a server certificate for localhost (so it's intended for testing from the machine itself). localhost-key.pem is the private key for the server certificate. You can unprotect it using:

openssl rsa -in localhost-key.pem -out localhost-key-unprotected.pem

You might need to trust cacert.pem temporarily in your browser, but remove it after the tests (because obviously testtest is not much of a secret, so anyone could use this CA).

Reduced it down to just SSLCACertificateFile. Re-ran the instructions from above link, placing them carefully into 3 bash scripts (ca, server, and client). Reloaded all certs. No luck. Gonna have to look for another walkthrough, maybe something more recent.
–
decoyDec 21 '11 at 15:56

@decoy, Just in case there's a problem with your certificates, you could try the test certificates I've just mentioned.
–
BrunoDec 23 '11 at 14:22

1

The problem was with my certificates. I had to ensure the Common Name was different between Client and Server. Otherwise it got angry and threw the above error. I gave you the check for leading me to the answer. Testing using your certs helped me cross off a lot of possible problems. Thanks again!
–
decoyJan 4 '12 at 14:18

I had the same problem (under Nginx). Solution was to make my client common name something other than the server's certs common name. Originally I thought that my cert CN had to match the FQDN of the server cert..